
A One-Line Kubernetes Fix that Saved 600 Hours a Year
Cloudflare’s Atlantis service, which orchestrates Terraform changes, stalled for 30 minutes on every restart because of a Kubernetes default. The pod’s securityContext set fsGroup, and the default fsGroupChangePolicy of Always makes kubelet recursively chgrp (and adjust permissions on) every file in the volume each time it is mounted; this persistent volume held millions of files. Adding a single line, fsGroupChangePolicy: OnRootMismatch, tells kubelet to skip the walk when the volume’s root directory already carries the expected group and permissions, which cut restart time to about 30 seconds and removed roughly 50 blocked hours per month. The change reclaimed roughly 600 engineering hours annually and cut false on‑call alerts.
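The mechanism behind that one line, as an added example rather than Cloudflare’s or kubelet’s code: a small model of the two policies run against a constructed volume. The pod fields spec.securityContext.fsGroup and spec.securityContext.fsGroupChangePolicy are real Kubernetes fields; the volume layout, file names and entry counts are constructed here, and the ownership changes are restricted to the caller’s own group so the model runs unprivileged. The point it shows is where the saving comes from: OnRootMismatch stats only the volume root, and skips the recursive walk when that root already has the requested gid, group rwx bits and the setgid bit. A fresh volume still pays the full cost on its first mount.

```python
import os
import stat
import tempfile

# Where the one-line fix lives in a pod spec (an assumed pod shape, not the
# Atlantis manifest): spec.securityContext.fsGroupChangePolicy is "Always" by
# default and "OnRootMismatch" after the fix, beside spec.securityContext.fsGroup.
ALWAYS = "Always"
ON_ROOT_MISMATCH = "OnRootMismatch"

GROUP_RW = stat.S_IRGRP | stat.S_IWGRP
GROUP_RWX = GROUP_RW | stat.S_IXGRP


def root_needs_change(root: str, fsgroup: int) -> bool:
    """The OnRootMismatch test, applied to the volume root only.

    kubelet skips the recursive walk when the root directory already carries
    the requested gid, group rwx permission and the setgid bit; anything else,
    including a never-mounted volume, still triggers the full walk.
    """
    st = os.stat(root)
    if st.st_gid != fsgroup:
        return True
    if (st.st_mode & GROUP_RWX) != GROUP_RWX:
        return True
    return not (st.st_mode & stat.S_ISGID)


def apply_fsgroup(root: str, fsgroup: int, policy: str) -> int:
    """Model of kubelet's fsGroup handling for a volume rooted at `root`.

    Returns the number of chown calls made, the quantity that grows with the
    number of files on the volume.  The changes are real but stay within the
    caller's own group so the model runs unprivileged.
    """
    if policy == ON_ROOT_MISMATCH and not root_needs_change(root, fsgroup):
        return 0                      # one stat() and the mount is done

    chowns = 0
    for dirpath, _, filenames in os.walk(root):
        # Directories get group rwx plus setgid so new files inherit the group.
        os.lchown(dirpath, -1, fsgroup)
        os.chmod(dirpath, stat.S_IMODE(os.stat(dirpath).st_mode) | GROUP_RWX | stat.S_ISGID)
        chowns += 1
        for name in filenames:
            path = os.path.join(dirpath, name)
            os.lchown(path, -1, fsgroup)
            os.chmod(path, stat.S_IMODE(os.stat(path).st_mode) | GROUP_RW)
            chowns += 1
    return chowns


def build_volume(root: str, dirs: int = 4, files_per_dir: int = 25) -> int:
    """Populate a constructed volume; returns its entry count (root + dirs + files)."""
    entries = 1
    for i in range(dirs):
        d = os.path.join(root, f"repo-{i}")
        os.mkdir(d)
        entries += 1
        for j in range(files_per_dir):
            with open(os.path.join(d, f"plan-{j}.tfplan"), "w") as fh:
                fh.write("{}")
            entries += 1
    return entries


def restart_costs() -> dict:
    """Mount a fresh volume, then 'restart' the pod under each policy."""
    fsgroup = os.getegid()            # the gid this process may assign to its own files
    with tempfile.TemporaryDirectory() as root:
        entries = build_volume(root)
        return {
            "entries": entries,
            # First mount: the root is fresh, so even OnRootMismatch walks everything.
            "first_mount": apply_fsgroup(root, fsgroup, ON_ROOT_MISMATCH),
            # Every later restart: Always walks again, OnRootMismatch does not.
            "restart_always": apply_fsgroup(root, fsgroup, ALWAYS),
            "restart_on_root_mismatch": apply_fsgroup(root, fsgroup, ON_ROOT_MISMATCH),
        }


if __name__ == "__main__":
    print(restart_costs())
```

Two caveats before copying the setting: the field needs a kubelet that supports it (it reached GA in Kubernetes 1.23) and only affects volume types for which kubelet manages ownership, so a CSI driver that handles fsGroup itself or a hostPath volume will not change behaviour; and anything that later rewrites the root directory’s group, mode or setgid bit brings the full walk back on the next restart.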

Inside Gen 13: How We Built Our Most Powerful Server Yet
Cloudflare unveiled its Gen 13 server, built around a 192‑core AMD EPYC Turin 9965 processor, 768 GB DDR5‑6400 memory, 24 TB PCIe 5.0 NVMe storage and dual 100 GbE NICs. The new platform promises up to twice the throughput of Gen 12 while delivering up to 50% better...

Powering the Agents: Workers AI Now Runs Large Models, Starting with Kimi K2.5
Cloudflare announced that Workers AI now supports the frontier open‑source model Kimi K2.5, offering a 256k token context window, multi‑turn tool calling, vision inputs and structured outputs. The company demonstrated a 77% cost reduction compared with mid‑tier proprietary models by running...

Standing up for the Open Internet: Why We Appealed Italy’s "Piracy Shield" Fine
Cloudflare appealed a €14 million fine imposed by Italy’s regulator AGCOM for refusing to register with the controversial Piracy Shield scheme. Piracy Shield forces service providers to block sites within 30 minutes based on private rights‑holder requests, without judicial oversight, transparency,...

From Legacy Architecture to Cloudflare One
Cloudflare and CDW have teamed up to simplify Zero Trust migrations for large enterprises, offering a structured, risk‑aware pathway from fragmented VPNs to the Cloudflare One SASE platform. Their tiered methodology categorizes applications by complexity, moving simple SaaS first and...

Slashing Agent Token Costs by 98% with RFC 9457-Compliant Error Responses
Cloudflare now returns structured error payloads to AI agents, either as RFC 9457 (Problem Details) JSON or as Markdown, in place of the traditional HTML error pages. Agents opt in through the Accept header and receive concise, machine‑readable guidance such as retry intervals or escalation steps....
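What an Accept-negotiated RFC 9457 error response looks like in practice, as an added example that is not Cloudflare’s implementation: a responder that parses the Accept header with q-values, picks the best of the three formats, builds one problem object (the standard type, status, title, detail and instance members, plus an extension member) and renders it as JSON, Markdown or HTML. The type URI namespace, the retry_after extension member and the sample messages are assumptions; the Markdown layout is illustrative, since RFC 9457 itself defines only JSON and XML serialisations.

```python
import html
import json
from typing import Any, Dict, List, Optional, Tuple

# Media types this responder can produce.  Clients that state no preference
# still get HTML; agents opt in through Accept.
SUPPORTED = ("application/problem+json", "text/markdown", "text/html")
DEFAULT = "text/html"
# Assumed namespace for the problem "type" URIs; not a Cloudflare URI.
TYPE_BASE = "https://example.invalid/problems/"


def parse_accept(accept: Optional[str]) -> List[Tuple[str, float]]:
    """Accept header -> [(media_type, q), ...]; parameters other than q are ignored."""
    if not accept or not accept.strip():
        return [("*/*", 1.0)]
    pairs = []
    for element in accept.split(","):
        parts = [p.strip() for p in element.split(";")]
        media = parts[0].lower()
        if not media:
            continue
        q = 1.0
        for param in parts[1:]:
            if param.lower().startswith("q="):
                try:
                    q = min(1.0, max(0.0, float(param[2:])))
                except ValueError:
                    q = 0.0            # malformed q: treat as not acceptable
        pairs.append((media, q))
    return pairs


def negotiate(accept: Optional[str]) -> str:
    """Highest-q supported type wins; */* and unknown types fall back to HTML."""
    best, best_q = DEFAULT, 0.0
    for media, q in parse_accept(accept):
        if media == "*/*":
            candidate = DEFAULT
        elif media in SUPPORTED:
            candidate = media
        else:
            continue
        if q > best_q:
            best, best_q = candidate, q
    return best


def problem_details(status: int, title: str, detail: str, slug: str,
                    instance: str, **extensions: Any) -> Dict[str, Any]:
    """RFC 9457 problem object: the standard members plus extension members
    (here retry_after, an assumed name), which the RFC explicitly permits."""
    problem = {"type": TYPE_BASE + slug, "status": status, "title": title,
               "detail": detail, "instance": instance}
    problem.update(extensions)
    return problem


def render(problem: Dict[str, Any], media: str) -> str:
    """Same problem object, serialised in the negotiated format."""
    if media == "application/problem+json":
        return json.dumps(problem, separators=(",", ":"))
    if media == "text/markdown":
        # Markdown is outside RFC 9457; this layout is illustrative only.
        lines = [f"# {problem['status']} {problem['title']}", "", problem["detail"], ""]
        lines += [f"- {k}: {v}" for k, v in problem.items()
                  if k not in ("status", "title", "detail")]
        return "\n".join(lines) + "\n"
    esc = html.escape                  # never reflect detail text unescaped into HTML
    return (f"<html><body><h1>{problem['status']} {esc(problem['title'])}</h1>"
            f"<p>{esc(problem['detail'])}</p></body></html>")


def error_response(status: int, accept: Optional[str], title: str, detail: str,
                   slug: str, instance: str, **extensions: Any) -> Dict[str, Any]:
    """Shape of an HTTP error response: status, headers, body (plus the problem
    object itself so callers and tests need not re-parse the body)."""
    media = negotiate(accept)
    problem = problem_details(status, title, detail, slug, instance, **extensions)
    content_type = media if media == "application/problem+json" else media + "; charset=utf-8"
    # Vary on Accept, or a cache may hand an agent's JSON to a browser and vice versa.
    headers = {"Content-Type": content_type, "Vary": "Accept"}
    if "retry_after" in extensions:
        # Echo the hint in the standard header so clients unaware of RFC 9457 see it too.
        headers["Retry-After"] = str(int(extensions["retry_after"]))
    return {"status": status, "headers": headers,
            "body": render(problem, media), "problem": problem}


if __name__ == "__main__":
    resp = error_response(429, "application/problem+json, text/html;q=0.5",
                          "Too Many Requests", "Rate limit reached; retry after the interval.",
                          "rate-limited", "/api/v1/zones/abc123", retry_after=30)
    print(resp["headers"])
    print(resp["body"])
```

The two details worth keeping when adapting this: the response must carry Vary: Accept so shared caches key on the negotiated format, and the JSON media type takes no charset parameter, so only the text/* variants get one.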

Translating Risk Insights Into Actionable Protection: Leveling up Security Posture with Cloudflare and Mastercard
Cloudflare and Mastercard are integrating Mastercard’s RiskRecon attack‑surface intelligence into the Cloudflare dashboard, enabling continuous discovery and remediation of Internet‑facing blind spots. The partnership lets security teams automatically identify shadow IT, forgotten subdomains, and unprotected cloud assets using publicly available...

Fixing Request Smuggling Vulnerabilities in Pingora OSS Deployments
In December 2025 Cloudflare was alerted to three HTTP/1.x request smuggling flaws (CVE‑2026‑2833, ‑2835, ‑2836) in the open‑source Pingora framework when it is used as an ingress proxy. The issues allowed attackers to bypass security controls enforced at the proxy, desynchronize request handling between the proxy and its upstreams, and poison caches...
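The page does not describe the three flaws themselves, so the following is not the Pingora fix; it is an added example of the generic framing checks an HTTP/1.x ingress proxy must apply before it forwards a request, following RFC 9112 section 6.3 and taking the strict option everywhere the RFC allows a recipient to reject. Every request below is constructed for the example. The principle the checks encode is that a proxy cannot safely pick a body length when its upstream might pick a different one, so any ambiguity (Content-Length beside Transfer-Encoding, duplicate or non-numeric Content-Length, chunked not the final coding, control bytes or malformed field names that different parsers tolerate differently) is refused rather than normalised.

```python
import re
from typing import List, Optional, Tuple

# Field-name token (RFC 9110 tchar): a space before the colon is not a token.
TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
# Field values: VCHAR, SP, HTAB, obs-text.  Control bytes such as \x0b or \x0c
# are a classic way to hide "chunked" from one parser but not another.
VALUE = re.compile(r"^[\x09\x20-\x7e\x80-\xff]*$")
DIGITS = re.compile(r"^[0-9]+$")


class Ambiguous(ValueError):
    """The body length cannot be determined unambiguously: refuse to forward."""


def parse_head(raw: bytes) -> Tuple[str, List[Tuple[str, str]]]:
    """Split a request head into (request-line, [(lowercased name, value), ...])."""
    if b"\r\n\r\n" not in raw:
        raise Ambiguous("incomplete head")
    lines = raw.split(b"\r\n\r\n", 1)[0].split(b"\r\n")
    if any(b"\n" in ln for ln in lines):
        raise Ambiguous("bare LF inside the head")
    headers = []
    for ln in lines[1:]:
        if ln[:1] in (b" ", b"\t"):
            raise Ambiguous("obs-fold line continuation")
        name, sep, value = ln.decode("latin-1").partition(":")
        if not sep or not TOKEN.match(name):
            raise Ambiguous(f"bad field name {name!r}")
        value = value.strip(" \t")
        if not VALUE.match(value):
            raise Ambiguous(f"control byte in {name} value")
        headers.append((name.lower(), value))
    return lines[0].decode("latin-1"), headers


def framing(raw: bytes) -> Tuple[str, Optional[int]]:
    """Body delimiting per RFC 9112 section 6.3, strict at every point where
    the RFC lets a recipient reject.

    Returns ("chunked", None), ("content-length", n) or ("none", 0).
    """
    _, headers = parse_head(raw)
    te = [v for n, v in headers if n == "transfer-encoding"]
    cl = [v for n, v in headers if n == "content-length"]
    if te and cl:
        # A server may let TE win; a proxy cannot know what its upstream will
        # do with the same bytes, so the only safe answer is to refuse.
        raise Ambiguous("both Transfer-Encoding and Content-Length present")
    if te:
        codings = [c.strip(" \t").lower() for v in te for c in v.split(",")]
        codings = [c for c in codings if c]
        if not codings or codings[-1] != "chunked":
            raise Ambiguous("chunked is not the final transfer coding")
        if codings.count("chunked") != 1:
            raise Ambiguous("chunked applied more than once")
        return "chunked", None
    if cl:
        # Duplicates are refused even when identical: merging them means
        # guessing what the next hop will do with the original field lines.
        if len(cl) != 1 or "," in cl[0] or not DIGITS.match(cl[0]):
            raise Ambiguous(f"invalid Content-Length {cl!r}")
        return "content-length", int(cl[0])
    return "none", 0


def check(raw: bytes) -> str:
    """One-line verdict, convenient for logs and tests."""
    try:
        kind, length = framing(raw)
    except Ambiguous as exc:
        return f"reject: {exc}"
    return f"content-length={length}" if kind == "content-length" else kind


# Constructed requests; none of these are taken from the Pingora advisories.
SAMPLES = {
    "clean-cl":    b"POST /api HTTP/1.1\r\nHost: app.example\r\nContent-Length: 5\r\n\r\nhello",
    "clean-te":    b"POST /api HTTP/1.1\r\nHost: app.example\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n",
    "no-body":     b"GET / HTTP/1.1\r\nHost: app.example\r\n\r\n",
    "cl-te":       b"POST /api HTTP/1.1\r\nHost: app.example\r\nContent-Length: 4\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n",
    "dup-cl":      b"POST /api HTTP/1.1\r\nHost: app.example\r\nContent-Length: 4\r\nContent-Length: 11\r\n\r\nGET / HTTP/",
    "te-ctl":      b"POST /api HTTP/1.1\r\nHost: app.example\r\nTransfer-Encoding: \x0bchunked\r\n\r\n0\r\n\r\n",
    "space-colon": b"POST /api HTTP/1.1\r\nHost: app.example\r\nTransfer-Encoding : chunked\r\n\r\n0\r\n\r\n",
    "te-not-last": b"POST /api HTTP/1.1\r\nHost: app.example\r\nTransfer-Encoding: chunked, gzip\r\n\r\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:12} {check(raw)}")
```

Rejecting is the right default at an ingress proxy even where RFC 9112 would let an origin server recover, because the proxy’s decision only helps if every hop behind it makes the same one; a 400 to the client is cheaper than a poisoned cache entry served to everyone else.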

Ending the "Silent Drop": How Dynamic Path MTU Discovery Makes the Cloudflare One Client More Resilient
Cloudflare One’s client now incorporates Dynamic Path MTU Discovery (PMTUD), so it actively probes the path and adjusts packet sizes itself instead of waiting for ICMP feedback that is often filtered or never sent. By testing packet sizes up to 1281 bytes and beyond, the client automatically selects the optimal...
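The search the paragraph describes, as an added example rather than the Cloudflare One client’s code: a probe-driven MTU discovery run against a constructed path that silently drops every packet above its MTU and never returns an ICMP message, which is the "silent drop" the title refers to. The 1280-byte base (the IPv6 minimum link MTU) and the 1500-byte ceiling are assumptions of the example; the second constructed path loses the first probe at every size to show why a single unacknowledged probe must not be read as a black hole.

```python
from typing import Callable, Optional, Set, Tuple

IPV6_MIN_MTU = 1280   # every IPv6 link must carry this, so the search starts here
ETHERNET_MTU = 1500   # assumed ceiling for the search


def make_path(path_mtu: int) -> Callable[[int], bool]:
    """Constructed path: anything above path_mtu is dropped in silence.

    No ICMP Packet Too Big ever comes back, which is the failure mode that
    leaves classic, ICMP-driven PMTUD stuck.
    """
    return lambda size: size <= path_mtu


def make_lossy_path(path_mtu: int) -> Callable[[int], bool]:
    """Same path, but the first probe at each size is lost (constructed loss).
    A single-shot prober would mistake this for a black hole."""
    seen: Set[int] = set()

    def probe(size: int) -> bool:
        if size not in seen:
            seen.add(size)
            return False
        return size <= path_mtu
    return probe


def discover_mtu(probe: Callable[[int], bool], base: int = IPV6_MIN_MTU,
                 ceiling: int = ETHERNET_MTU, attempts: int = 3) -> Tuple[Optional[int], int]:
    """Binary search for the largest probe size the path acknowledges.

    probe(size) returns True when a padded probe of `size` bytes was echoed.
    Each size is tried up to `attempts` times so ordinary loss is not read as
    a black hole.  Returns (mtu, probes_sent); mtu is None when even the base
    size is dropped, and the caller should fall back rather than keep trying.
    """
    sent = 0

    def acked(size: int) -> bool:
        nonlocal sent
        for _ in range(attempts):
            sent += 1
            if probe(size):
                return True
        return False

    if not acked(base):
        return None, sent
    if acked(ceiling):
        return ceiling, sent
    lo, hi = base, ceiling            # invariant: lo acked, hi dropped
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if acked(mid):
            lo = mid
        else:
            hi = mid
    return lo, sent


if __name__ == "__main__":
    for label, path in (("clean", make_path(1400)), ("lossy", make_lossy_path(1400))):
        print(label, discover_mtu(path))
```

A real client has to repeat this whenever the path changes (new network, VPN hop added) and should treat a sudden loss of acknowledgements at the chosen size as a signal to search again from the base, not as congestion.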

A QUICker SASE Client: Re-Building Proxy Mode
Cloudflare has rebuilt the proxy mode of its Cloudflare One client, swapping the WireGuard‑based L3 tunnel for direct L4 proxying over QUIC. By leveraging HTTP/3 CONNECT and MASQUE, traffic remains at the transport layer, eliminating the smoltcp conversion step. Internal...

Moving From License Plates to Badges: The Gateway Authorization Proxy
Cloudflare unveiled the Gateway Authorization Proxy, a client‑less solution that shifts identity verification from the endpoint to the network. By integrating Cloudflare Access login and signed JWT cookies, the proxy can authenticate users on any device that reaches the Internet,...

Defeating the Deepfake: Stopping Laptop Farms and Insider Threats
Cloudflare announced a partnership with Nametag to embed workforce identity verification into its Cloudflare One SASE platform, targeting the emerging "remote IT worker" fraud that leverages AI‑generated deepfake IDs and laptop farms. The integration uses OpenID Connect to require a...

Evolving Cloudflare’s Threat Intelligence Platform: Actionable, Scalable, and ETL-Less
Cloudflare has launched a cloud‑first Threat Intelligence Platform (TIP) that eliminates traditional ETL pipelines using a sharded, SQLite‑backed architecture running on the edge. Threat events are distributed across thousands of Durable Objects, delivering sub‑second GraphQL queries and real‑time visualizations. The...

Modernizing with Agile SASE: A Cloudflare One Blog Takeover
Cloudflare announced a series of technical deep‑dives this week to showcase its agile SASE platform, Cloudflare One, as a solution to the growing fragmentation of legacy VPNs and hardware firewalls. The blog takeover emphasizes a single‑pass architecture that runs security...

The Truly Programmable SASE Platform
Cloudflare positions its One platform as a truly programmable SASE solution, leveraging a global network that reaches over 330 cities and sits within 50 ms of 95% of internet users. The company differentiates its offering by embedding edge‑run Workers directly into...